On Passwords

The Password Scam – Was I Hacked?

Recently, I had a client receive an email that told him they knew his password and revealed it to him. They also claimed to have webcam recordings of him along with his salacious search history. The email was attempting to get my client to send them one Bitcoin, which at the time of this writing is valued at over $6,000. The password was an older one, though still in some use. The fact that they were able to repeat his password to him was disconcerting. He was concerned he had been hacked, even though he knew there was no salacious search history.

So how did they know his password? Almost certainly from one of the many data breaches in which attackers obtain a company's customer database, including usernames and passwords (often stored hashed, and then cracked offline). Those email-and-password combinations are compiled, traded and resold on the open internet and the dark web, and there are lookup services that will tell you whether an address or a password appears in them. The scammer did not break into anything of his; they bought or downloaded a list and mailed everyone on it.

My first piece of advice to him was to change that password on every website where it is still in use. That password is known, so consider it burned and never use it again. Simple variations of it (a different digit on the end, a capital letter added) should be treated as burned too, since cracking tools try those mangling rules first. Below are some other tips you can use when creating or managing your passwords.

Password Tips

Use a password manager. I prefer to use LastPass because of the convenience, but just select one you like. If you are not comfortable with a password manager based in the cloud, there are many offline options that fit the way you want to work. We all have too many passwords to remember, and a password manager keeps them organized so you don't have post-it notes stuck to your monitor.

Never reuse a password. Since you are using a password manager, this is not difficult: you don't have to remember any of them. The reason is that if you use the same password for your bank, email and social media, and someone obtains it from the weakest of those sites, they now have your bank and your email as well, and password resets for every other account run through that email. Attackers automate this by replaying breached email-and-password pairs against hundreds of other sites (credential stuffing), so a password leaked from one forgotten forum is tried against your bank within hours. You can imagine what a person of ill repute would do from there.
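The two checks above, "is this password reused?" and "is this password already in a breach list?", can be run over a password-manager export. The following is an added example, not code from the post or from any password manager. It assumes a CSV export with url, username and password columns (the rows are constructed), and it models the breach lookup on Have I Been Pwned's Pwned Passwords range API, which the post does not name: only the first five hex characters of SHA-1(password) are sent, so the service never sees the password or its full hash. The example never goes on the network; the "breached" passwords and their counts are made up to seed fake responses.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export for this example. The column layout mirrors a typical
# password-manager CSV export; the sites, user names and passwords are made up.
VAULT_CSV = """url,username,password
https://bank.example,alice,Tr0ub4dor&3
https://mail.example,alice@example.com,Tr0ub4dor&3
https://social.example,alice,password
https://shop.example,alice@example.com,Cu8I%w9^UMJsExL!Cw
"""

# Constructed stand-in for the breach-lookup service. The real service is queried
# with GET https://api.pwnedpasswords.com/range/<5-hex-char prefix> and answers
# with every known suffix for that prefix as "SUFFIX:COUNT" lines (k-anonymity:
# the plaintext and the full hash never leave your machine). The passwords and
# counts below are made up to seed the fake responses.
CONSTRUCTED_BREACHED = {"password": 1234567, "123456": 7654321}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str) -> tuple:
    """Split the 40-char hash into the 5-char prefix sent and the 35-char suffix kept."""
    return sha1[:5], sha1[5:]


def _build_fake_ranges(breached: dict) -> dict:
    """Build prefix -> response body from the constructed breached set."""
    ranges = defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        ranges[prefix].append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) + "\r\n" for prefix, lines in ranges.items()}


FAKE_RANGES = _build_fake_ranges(CONSTRUCTED_BREACHED)


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the HTTP range call; unknown prefixes return no lines."""
    return FAKE_RANGES.get(prefix, "")


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Return how often the password appears in breach data (0 if unseen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def find_reuse(vault_csv: str) -> dict:
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(vault_csv)):
        sites_by_password[row["password"]].append(row["url"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit_vault(vault_csv: str, range_lookup=fake_range_lookup) -> dict:
    """Flag reused passwords and passwords that appear in breach data."""
    breached = {}
    for row in csv.DictReader(io.StringIO(vault_csv)):
        n = breach_count(row["password"], range_lookup)
        if n:
            breached[row["url"]] = n
    return {"reused": find_reuse(vault_csv), "breached": breached}


if __name__ == "__main__":
    report = audit_vault(VAULT_CSV)
    for pw, sites in report["reused"].items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for url, n in report["breached"].items():
        print(f"breached password ({n} occurrences) in use at: {url}")
```

On the constructed vault this reports Tr0ub4dor&3 reused on the bank and mail sites and "password" as breached at the social site; every password flagged by either check is burned and should be replaced from the manager's generator. To use the real service, swap `fake_range_lookup` for a function that fetches the range URL and returns the response body; the hashing and prefix logic stay the same.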

Use long, complex passwords. Since you are using a password manager, you can do this because you can copy and paste or just let the manager fill it in for you. Random password generators will give you something like Cu8I%w9^UMJsExL!Cw as a password: 18 characters drawn from the 94 printable ASCII characters is about 118 bits of entropy, which is hard to guess and infeasible to brute force. However, there are exceptions. If you have a password you must type manually and frequently, or must enter on your TV with a remote, a long and complex password is painful to type. In that case you may want to use the method in this xkcd comic: select 4 random words and combine them, for example "untried thesis earthly ranked". It is fairly easy to remember and easy to type. The strength of this method comes entirely from the words being chosen at random, by a generator or dice rolls from a large word list, not by you; 4 words from a 7,776-word list is about 52 bits, which is fine against online guessing and acceptable for a site that hashes passwords properly, but 4 words you picked yourself because they came to mind are far weaker than that. I would consider
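The entropy figures above can be worked through in a few lines. The following is an added example, not code from the post: it generates both styles of password from the operating system's CSPRNG (Python's `secrets` module) and estimates how long an offline attack would take at two assumed guess rates. The word list embedded here is constructed and deliberately tiny so the code runs offline; the 7,776-word figure is the size of the EFF long diceware list, and the guess rates are assumptions stated in the code, not measurements.

```python
import math
import secrets
import string

# 94 printable ASCII characters: the alphabet a generator producing something
# like Cu8I%w9^UMJsExL!Cw draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed word list, deliberately tiny so the example runs offline. A real
# passphrase must be drawn from a large list; 16 words gives only 4 bits per word,
# so passphrases generated from SAMPLE_WORDS are NOT strong.
SAMPLE_WORDS = [
    "untried", "thesis", "earthly", "ranked", "copper", "lantern", "marble", "violet",
    "harbor", "ticket", "meadow", "signal", "pebble", "quartz", "summit", "walnut",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 words, one per roll of five dice

# Assumed attacker speeds (assumptions, not measurements): a GPU rig against an
# unsalted fast hash such as MD5/SHA-1, and the same rig against a slow hash
# such as bcrypt with a sensible work factor.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_HASH_GUESSES_PER_SEC = 1e5
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 18, alphabet: str = PRINTABLE) -> str:
    """Character password from the CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """xkcd-style passphrase; the strength comes from the generator picking the words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def strength_report(alphabet_size: int, length: int) -> dict:
    """Entropy and expected offline crack time in years at the two assumed rates."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "bits": bits,
        "years_fast_hash": expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        "years_slow_hash": expected_crack_seconds(bits, SLOW_HASH_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    cases = {
        "18 random printable chars": (len(PRINTABLE), 18),
        "4 words from a 7776-word list": (EFF_LONG_LIST_SIZE, 4),
        "4 words from this 16-word sample": (len(SAMPLE_WORDS), 4),
        "8 lowercase letters": (26, 8),
    }
    for label, (alphabet, length) in cases.items():
        r = strength_report(alphabet, length)
        print(f"{label:34s} {r['bits']:6.1f} bits  "
              f"fast hash: {r['years_fast_hash']:.2e} y  slow hash: {r['years_slow_hash']:.2e} y")
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase())
```

The report shows the trade-off the post describes: the 18-character generated password is out of reach under any assumption, while 4 diceware words (about 52 bits) fall in a couple of days against a fast unsalted hash but hold for centuries against a slow hash. That is why a passphrase is fine for something you type often, and why the password manager's generator is the default for everything else.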

Use Two-Factor Authentication (2FA) where possible. Many websites offer what is commonly referred to as Two-Factor Authentication. You may have run into this where you type in your username and password and then have to wait for a text message with a code you must type in. This is good because even if your password gets stolen, the attacker still needs your phone to get the code. If you are offered a choice between text messages and an authenticator app, use the app when possible. With an app such as Google Authenticator (there are others), the code comes from the app itself, which computes a time-based code (TOTP) from a secret it shared with the site when you scanned the QR code, instead of from a text message. This is considered more secure because a highly motivated attacker can impersonate you to your mobile service provider, have your phone number moved to their SIM (a SIM swap), and then receive your text codes; the app's secret never touches the phone network, so they would need the device itself along with the password. Neither text codes nor app codes stop a phishing page that asks for the code and forwards it to the real site within the same 30-second window; for that you need a hardware security key (FIDO2/WebAuthn) on the sites that support one.
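The app-generated code is a small, fully specified algorithm (RFC 4226 HOTP under RFC 6238 TOTP), and seeing both sides makes the comparison with text messages concrete. The following is an added example, not code from the post or from any authenticator app: it shows what the app computes from the shared secret and what the site checks, including tolerance for clock skew and rejection of a replayed code. The secret is the RFC 6238 reference test value so the codes can be checked against the RFC's own table; a real site generates a random secret per user.

```python
import base64
import hashlib
import hmac
import time

# Shared secret. In practice the site generates it and hands it to the app as a
# base32 string inside the QR code (otpauth://totp/...?secret=...). The value here
# is the RFC 6238 reference test secret, not something to use for a real account.
SECRET = b"12345678901234567890"
SECRET_B32 = base64.b32encode(SECRET).decode()  # what the QR code carries

STEP_SECONDS = 30   # how long each code is valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for a single counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second slots since the Unix epoch.
    This is what the authenticator app displays; it needs no network, only the clock."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_b32(b32: str) -> bytes:
    """Decode the base32 secret the way an app does when it reads the QR code."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore stripped padding
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side. Accepts the current code plus `window` steps either side to
    absorb clock skew, and never accepts a counter at or below the last one used,
    so a code captured once cannot be replayed inside its window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                                       # already used or older
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):            # constant-time compare
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    app_code = totp(secret_from_b32(SECRET_B32), now)          # the phone's side
    server = TotpVerifier(SECRET)                               # the website's side
    print("app shows", app_code, "| server accepts:", server.verify(app_code, now),
          "| replay accepted:", server.verify(app_code, now))
```

Two things in the verifier are easy to get wrong in a real deployment: comparing codes with `==` instead of a constant-time compare, and accepting a valid code twice within its window. Neither fix helps against a real-time phishing relay, which is the limitation noted above; the code is only ever as good as the secrecy of the device holding `SECRET`.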

There are other methods of making good passwords that I haven't mentioned which are also valid and which I use sometimes. The above are just a couple of ways to make better passwords than Monkey123 or qwerty789.

In the email they also claimed to have webcam video of him from his laptop, which was a lie meant to scare the recipient into paying. If you have a webcam on your laptop, consider covering it with a post-it note, a Band-Aid or something similar. Malware exists that can use your webcam to spy on you, so if you do not use the webcam often, keep it covered.